https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23660#M17243 <HTML><HEAD></HEAD><BODY><P>I guess the short answer is: contact your Sales Engineer to file this as a feature request.</P><P></P><P>PA have today two methods to deal with annoying clients (over time): zone protection and dos protection (unfortunately none of them can today be used as you requested as I know).</P><P></P><P>Check out <A __default_attr="3094" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A> for more information.</P></BODY></HTML> Tue, 26 Jun 2012 06:59:40 GMT mikand 2012-06-26T06:59:40Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23659#M17242 <HTML><HEAD></HEAD><BODY><P>Hello everyone,</P><P></P><P>Our PA's are using the thread prevention system which drops traffic that is trying to exploid vulnabillities, do DoS attacks etc.</P><P></P><P>All works very nice - but it's only affecting the attempt on an individual basis.</P><P></P><P>F. ex. - someone performs a "DNS ANY Queries Brute Force DOS Attack" and gets blocked. But then the same source re-tries shortly after. And again and again.</P><P></P><P>I'm looking for a way to automatically block the source IP for a period of time.</P><P></P><P>Say that source IP 119.147.138.171 gets caught trying to do a "DNS ANY Queries Brute Force DOS Attack". If the source IP does this a number of times - then this IP should be completly blocked for a prolonged period of time - f. ex 24h</P><P></P><P>Now the big question is - how do we do that ?</P><P></P><P>Br</P><P>Jørgen</P></BODY></HTML> Mon, 25 Jun 2012 21:14:27 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23659#M17242 sitecore 2012-06-25T21:14:27Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23660#M17243 <HTML><HEAD></HEAD><BODY><P>I guess the short answer is: contact your Sales Engineer to file this as a feature request.</P><P></P><P>PA have today two methods to deal with annoying clients (over time): zone protection and dos protection (unfortunately none of them can today be used as you requested as I know).</P><P></P><P>Check out <A __default_attr="3094" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A> for more information.</P></BODY></HTML> Tue, 26 Jun 2012 06:59:40 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23660#M17243 mikand 2012-06-26T06:59:40Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23661#M17244 <HTML><HEAD></HEAD><BODY><P>You can indeed do this. In PAN-OS 4.0, a new action called block-ip was introduced. You can block based on source IP or source and destination IP pair. You can use this action in the vulnerability protection profile &gt; Exceptions, find the signature and change the action to block-ip. Set the time from 1-3600 seconds. </P><P></P><P>On the zone protection profile, you can also use the block-ip action associated with the reconnaissance protection for port scans and host sweeps. </P></BODY></HTML> Tue, 26 Jun 2012 15:23:58 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23661#M17244 fredallee 2012-06-26T15:23:58Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23662#M17245 <HTML><HEAD></HEAD><BODY><P>*doh* forgot about that one <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>When block-ip is activated, will each attempt from the blocked client still be logged (or if the PA box will no longer log the client attempts - can one override it so it will)?</P></BODY></HTML> Tue, 26 Jun 2012 18:44:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23662#M17245 mikand 2012-06-26T18:44:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23663#M17246 <HTML><HEAD></HEAD><BODY><P>Spot on - thanks a lot <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Br</P><P>Jørgen</P></BODY></HTML> Wed, 27 Jun 2012 16:08:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-people-who-are-trying-to-exploid-vulnabillities-for/m-p/23663#M17246 sitecore 2012-06-27T16:08:15Z